Re: [ibm-acpi-devel] [PATCH 3/4] thinkpad-acpi: Avoid heap buffer overrun

2009-08-02 Thread Michael Buesch
On Saturday 01 August 2009 17:04:19 Henrique de Moraes Holschuh wrote: > From: Michael Buesch > > Avoid a heap buffer overrun triggered by an integer overflow of the > userspace controlled "count" variable. > > If userspace passes in a "count" of (size_t)-1

Re: [ibm-acpi-devel] [PATCH 3/4] thinkpad-acpi: Avoid heap buffer overrun

2009-08-02 Thread Michael Buesch
On Sunday 02 August 2009 03:50:12 Henrique de Moraes Holschuh wrote: > > Note that it turns out this is not a real-life bug after all. > > The VFS code checks count for signedness (high bit set) and bails > > out if this is the case. > > Well, it might probably be a good idea to restrict the count

Re: [ibm-acpi-devel] [PATCH 3/4] thinkpad-acpi: Avoid heap buffer overrun

2009-08-02 Thread Michael Buesch
On Sunday 02 August 2009 06:11:13 Len Brown wrote: > applied w/ simplified check-in comment > > thanks, > Len Brown, Intel Open Source Technology Center Thanks. The same discussion applies to the toshiba_acpi patch I sent to you. -- Greetings, Michael.

[ibm-acpi-devel] [PATCH] thinkpad-acpi: Avoid heap buffer overrun

2009-07-21 Thread Michael Buesch
nteger overrun by putting an arbitrary limit on the count. PAGE_SIZE sounds like a sane limit. Signed-off-by: Michael Buesch --- This patch is completely untested due to lack of supported device. The proc file is only writeable by root, so it's probably not exploitable as-is. --- drivers/pl

Re: [ibm-acpi-devel] [PATCH] thinkpad-acpi: Avoid heap buffer overrun

2009-07-21 Thread Michael Buesch
On Tuesday 21 July 2009 12:17:47 Michael Buesch wrote: > On Tuesday 21 July 2009 12:16:17 Michael Buesch wrote: > > Avoid a heap buffer overrun triggered by an integer overflow of the > > userspace > > controlled "count" variable. > > If userspace passes in

Re: [ibm-acpi-devel] [PATCH] thinkpad-acpi: Avoid heap buffer overrun

2009-07-21 Thread Michael Buesch
On Tuesday 21 July 2009 12:16:17 Michael Buesch wrote: > Avoid a heap buffer overrun triggered by an integer overflow of the userspace > controlled "count" variable. > If userspace passes in a "count" of (size_t)-1l, the kmalloc size will > overflow > to ((si